Chinese State-Sponsored Hackers Exploit Critical Zero-Day Vulnerabilities in Microsoft SharePoint Servers

In a significant cybersecurity development, Microsoft has confirmed that Chinese state-sponsored hacking groups are actively exploiting critical zero-day vulnerabilities in on-premises SharePoint servers. This revelation has prompted urgent security advisories for organizations worldwide.

Overview of the Exploitation Campaign

The exploitation centers on two newly identified vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which are chained together. CVE-2025-53770 is the more severe of the two: a deserialization of untrusted data flaw (a variant of the earlier CVE-2025-49704) that yields remote code execution, and because it is chained with an authentication bypass it can be exploited without credentials. CVE-2025-53771 is that bypass, a path-traversal and spoofing flaw that defeats the fix for the previously disclosed CVE-2025-49706. Both affect only on-premises SharePoint Server installations, namely SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. SharePoint Online in Microsoft 365 is not affected.

Details of the Attacks

Microsoft’s security researchers have observed attackers exploiting the chain by sending crafted POST requests to the ToolPane endpoint (ToolPane.aspx under the SharePoint _layouts path). Following successful exploitation, a web shell named spinstall0.aspx (or a numbered variant) is written to the server. Rather than a typical interactive shell, its job is to read the ASP.NET MachineKey configuration, the ValidationKey and DecryptionKey that sign and encrypt ViewState. With those keys an attacker can forge validly signed ViewState payloads that the server will deserialize, which gives code execution that survives both patching and removal of the web shell until the keys are rotated, and which supports lateral movement within the target network.
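The two indicators above (POST requests to the ToolPane endpoint and requests for the spinstall web shell) can be hunted for in the IIS logs of a SharePoint front end. The following PowerShell is an added example, not code from the article or from Microsoft. The log lines in $sample are constructed for illustration, the log directory in the usage comment is the IIS default, and the rule that an anonymous POST to ToolPane.aspx is the exploit pattern while an authenticated one merely needs review is this example's own heuristic (legitimate page editing also POSTs there, but only as a signed-in user).

```powershell
# Added example (not from the article or Microsoft): hunt IIS W3C logs for ToolShell indicators.
# Sample log lines below are constructed; the log path in the usage comment is the IIS default.

function Find-ToolShellActivity {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] [string[]] $Line)

    begin {
        $fields   = $null
        $findings = New-Object System.Collections.Generic.List[object]
    }
    process {
        foreach ($l in $Line) {
            if ($l -like '#Fields:*') {
                # IIS states the column order in a header line; map field names to positions.
                $fields = ($l -replace '^#Fields:\s*', '') -split ' '
                continue
            }
            if (-not $fields -or $l.StartsWith('#') -or [string]::IsNullOrWhiteSpace($l)) { continue }

            $cols = $l -split ' '
            $rec  = @{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }

            $stem   = $rec['cs-uri-stem']
            $method = $rec['cs-method']
            $user   = $rec['cs-username']
            $reason = $null

            if ($method -eq 'POST' -and $stem -match '/ToolPane\.aspx$') {
                # Heuristic: the exploit request is unauthenticated, so cs-username is '-'.
                if ($user -eq '-') { $reason = 'Unauthenticated POST to ToolPane.aspx (exploit attempt)' }
                else               { $reason = 'Authenticated POST to ToolPane.aspx (review)' }
            }
            elseif ($stem -match '/spinstall\d*\.aspx$') {
                # spinstall0.aspx and its numbered variants are the post-exploitation web shell.
                $reason = 'Request for spinstall web shell (post-exploitation)'
            }

            if ($reason) {
                $findings.Add([pscustomobject]@{
                    Time     = ($rec['date'] + ' ' + $rec['time'])
                    ClientIP = $rec['c-ip']
                    Method   = $method
                    Path     = $stem
                    Status   = $rec['sc-status']
                    Reason   = $reason
                })
            }
        }
    }
    end { $findings }
}

# Constructed sample in IIS W3C format (IIS encodes spaces inside a field as '+').
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 20:14:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0+(compatible) - 200 0 0 312
2025-07-18 20:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible) - 200 0 0 41
2025-07-18 20:15:41 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\jdoe 10.0.4.20 Mozilla/5.0+(compatible) - 200 0 0 88
2025-07-18 20:16:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\jdoe 10.0.4.20 Mozilla/5.0+(compatible) - 200 0 0 150
'@

$sample -split "`r?`n" | Find-ToolShellActivity | Format-Table -AutoSize

# Against a real server, walk the IIS log directory instead:
# Get-ChildItem "$env:SystemDrive\inetpub\logs\LogFiles" -Recurse -Filter *.log |
#     Get-Content | Find-ToolShellActivity | Export-Csv toolshell-findings.csv -NoTypeInformation
```

On the constructed sample the function flags the first two lines as an exploit attempt followed by the web shell retrieval from the same client, flags the last line for review, and ignores the ordinary page view. Whether cs-username is populated depends on the site's authentication configuration, so treat the anonymous/authenticated split as a triage aid rather than a verdict.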

Identified Threat Actors

Three distinct Chinese state-sponsored threat groups have been identified as primary exploiters of these vulnerabilities:

1. Linen Typhoon: Active since 2012, this group has focused on intellectual property theft targeting government, defense, and human rights organizations.

2. Violet Typhoon: Operational since 2015, Violet Typhoon specializes in espionage against former government personnel, NGOs, and educational institutions across the United States, Europe, and East Asia.

3. Storm-2603: A China-based actor, assessed as such by Microsoft with medium confidence, which has deployed Warlock and LockBit ransomware in previous campaigns.

The exploitation attempts began as early as July 7, 2025, with threat actors leveraging these vulnerabilities for initial access before deploying PowerShell-based payloads and establishing persistence mechanisms.

Global Impact and Affected Systems

The scale of this cyber-espionage campaign is substantial. Cybersecurity firm Eye Security, which first observed the mass-exploitation wave on July 18, 2025, scanned more than 8,000 SharePoint servers globally and found that at least several dozen had been compromised. Early victims included U.S. and German government agencies as well as private firms, among them an energy operator in California and a fintech company in New York. More than 9,000 internet-exposed SharePoint servers globally are potentially affected, spanning networks in sectors such as auditing, banking, healthcare, industry, and government. Notably, the U.S. National Nuclear Security Administration was among those affected, though no classified data is believed to have been compromised.

Microsoft’s Response and Mitigation Measures

In response to these active exploits, Microsoft has released critical security updates for all supported SharePoint versions. Organizations are strongly urged to apply these patches immediately to prevent further intrusions. Note that the July 8, 2025 Patch Tuesday updates for CVE-2025-49704 and CVE-2025-49706 are not sufficient on their own; the updates below must be installed. The specific updates are:

– KB5002768: For SharePoint Server Subscription Edition

– KB5002754 and KB5002753: For SharePoint Server 2019 (core update and language pack; install both)

– KB5002760 and KB5002759: For SharePoint Server 2016 (core update and language pack; install both)

In addition to applying these patches, Microsoft recommends the following mitigation steps:

1. Enable Antimalware Scan Interface (AMSI) in Full Mode on all SharePoint servers: AMSI can block the unauthenticated exploit request before it reaches the vulnerable code, which is why Microsoft lists it as the interim protection for servers that cannot be patched at once.

2. Deploy Microsoft Defender Antivirus on all SharePoint servers: AMSI only hands requests to whatever antimalware engine is registered with it, so it is ineffective without an up-to-date engine behind it.

3. Rotate ASP.NET Machine Keys: Do this after patching, and again whenever compromise is suspected, because keys stolen through spinstall0.aspx remain valid after the patch. Rotate them via the Machine Key Rotation timer job in Central Administration or the Update-SPMachineKey cmdlet, then restart Internet Information Services (IIS) with iisreset.exe on every SharePoint server in the farm so the new keys take effect.

4. Deploy Microsoft Defender for Endpoint or an equivalent EDR solution: These tools detect post-exploitation activity, such as web shell creation and the PowerShell payloads observed in this campaign, and provide an additional layer of defense.

For systems that cannot be patched immediately and on which AMSI cannot be enabled, Microsoft advises disconnecting them from the internet until the security updates can be applied.
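Step 3 above, carried out across a whole farm, looks like the following. This is an added example and not Microsoft's own script. It is meant to run in the SharePoint Management Shell as a farm administrator on one server. Update-SPMachineKey is the cmdlet Microsoft's guidance names for rotating the keys; the example checks for it rather than assuming it, since it is only present on a sufficiently recent patch level. The ordering, the per-server iisreset loop, and the final file check in the LAYOUTS folder (the location where the spinstall0.aspx web shell was reported to be dropped) are this example's own choices.

```powershell
# Added example (not Microsoft's script): rotate ASP.NET machine keys farm-wide, restart IIS
# on every SharePoint server, then look for leftover spinstall web shells.
# Run from the SharePoint Management Shell as a farm administrator.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw 'Update-SPMachineKey is not available on this build; install the current SharePoint security update first.'
}

# 1. Rotate the keys for every web application, Central Administration included.
#    Rotation after patching is mandatory: keys already stolen stay valid until replaced.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host ('Rotating ASP.NET machine key for {0} ({1})' -f $wa.DisplayName, $wa.Url)
    Update-SPMachineKey -WebApplication $wa
}

# 2. New keys are only picked up when the worker processes restart, so restart IIS on
#    every SharePoint server in the farm. Get-SPServer also lists SQL servers; their Role is Invalid.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | ForEach-Object { $_.Address }
foreach ($server in $spServers) {
    Write-Host "Restarting IIS on $server"
    & iisreset.exe $server /restart
}

# 3. Rotation invalidates forged ViewState but does not remove a web shell that is already on disk.
#    Check the LAYOUTS folder of the 16 hive, where spinstall0.aspx was reported to be written.
$layouts = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$shells  = Get-ChildItem -Path $layouts -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue
if ($shells) {
    Write-Warning ('Possible web shell(s) found: {0}. Treat this server as compromised and preserve the files for forensics.' -f ($shells.FullName -join ', '))
} else {
    Write-Host "No spinstall*.aspx files in $layouts"
}
```

Run the file check on every server, not only the one the rotation was started from, and treat a hit as evidence that the machine keys were already stolen: the rotation just performed is then the first step of an incident response, not the end of the mitigation.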

Broader Implications and Recommendations

This incident underscores the growing scale and complexity of modern cyber threats, particularly those orchestrated by state-sponsored actors. The exploitation of critical infrastructure components like SharePoint servers highlights the need for organizations to adopt a proactive and comprehensive approach to cybersecurity.

Organizations are encouraged to:

– Conduct Regular Security Audits: Regularly assess systems for vulnerabilities and ensure that all software is up to date.

– Implement Multi-Factor Authentication (MFA): MFA will not stop a pre-authentication exploit like this one, but it limits what an attacker can do with credentials harvested after initial access.

– Monitor Network Traffic: Utilize intrusion detection systems to identify and respond to suspicious activities promptly.

– Educate Employees: Provide ongoing training on cybersecurity best practices to reduce the risk of social engineering attacks.

By taking these steps, organizations can better protect themselves against sophisticated cyber threats and minimize the potential impact of such attacks.